FTC May Amend Financial Institutions Data Security Rule

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Aug. 29 — The Federal Trade Commission announced Aug. 29 that it is opening a public comment period to evaluate its rules for safeguarding customer information under the Gramm-Leach-Bliley Act (GLB).

The Safeguards Rule, 16 C.F.R. § 314.3, requires financial institutions to have mechanisms to secure customer information. The financial institutions covered by the rule must also ensure that their affiliates and service providers protect consumer data. The FTC has enforcement powers over the privacy provisions of the GLB.

In addition to the Safeguards Rule, the FTC may regulate unfair and deceptive acts or practices under Section 5 of the FTC Act. The FTC has used Section 5 to bring data security enforcement actions against companies whose data security practices are unfair or deceptive to consumers.

The FTC is seeking comment on the economic impact and benefit of the Safeguards Rule as well as whether state and local laws conflict with the rule. The agency also wants to analyze whether technology, economic or industry changes have affected the rule.

But no changes to the Safeguards Rule may be necessary given its flexibility, Nathan D. Taylor, a privacy and data security partner at Morrison & Foerster LLP in Washington, told Bloomberg BNA Aug. 29.

The Safeguards Rule “by design puts in place a risk-based process that is both flexible and adaptable.” The rule, instead of requiring specific safeguards, calls for “risk assessments and the implementation of safeguards to address identified risk,” he said.

Because of this flexibility, “the rule is specifically designed to be able to respond to changes in technology and changes in the threat landscape,” Taylor said.

The Safeguards Rule review is part of an agency-wide assessment of all FTC rules. The public comment period will run until Nov. 7.

Regulatory Power Struggle

Although the FTC has seen increased challenges from other federal agencies to be the primary privacy and data security federal regulator, the changes to the Safeguards Rule is just “part of the FTC's ongoing regulatory review,” Taylor said.

The Federal Communications Commission increased its data security enforcement actions in 2015 by collecting $30 million in fines against telecommunications companies for data breaches (14 PVLR 2192, 12/7/15). In addition, the FCC March. 31 proposed a general data security standard for broadband internet service providers (15 PVLR 717, 4/4/16). The agency hopes the broadband data security rules will be completed by the end of 2016, even with pushback from some U.S. legislators (15 PVLR 1486, 7/18/16).

The Consumer Finance Protection Bureau in 2016 issued its first data security enforcement action against a financial services company. The CFPB March 2 levied a $100,00 fine on Dwolla Inc. for making false representations about the company's data security practice in violation of the Consumer Finance Protection Act (15 PVLR 503, 3/7/16).

The Dwolla decision didn't necessarily motivate the FTC to look at the financial services data security rule, Taylor said. However, it's possible “the FTC identified GLB data security as a candidate for this round of regulatory review based on the federal banking agencies' recent indications that they will update their own safeguards rule,” he said.

Company Pushback

The FTC has also seen challenges from companies that don't think the agency has broad authority to enforce allegedly lax data security standards. However, the agency July 29 reasserted it's data security authority in an enforcement action against medical testing company LabMD Inc.

The FTC ruled that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn't demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held (15 PVLR 1593, 8/8/16).

The LabMD decision followed the U.S. Court of Appeals for the Third Circuit's Aug. 24, 2015 decision in FTC v. Wyndham Worldwide Corp., where the court held the Commission has authority under the unfairness prong of Section 5 of FTC Act to take enforcement action against companies over their alleged lax data security practices (14 PVLR 1592, 9/7/15).

Unlike many European Union countries that have a designated data security regulator, the FTC may continue to face challenges from consumer and other U.S. regulators over who has the power to enforce and regulate data security practices.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.